29.10.2022
Europol’s unlawful data retention threatens the privacy of millions of innocent people

According to investigative journalists, Europol is illegally retaining quadrillions of bytes of data on at least a quarter of a million people – current or former terrorism and serious crime suspects – as well as on many other people they have had contact with throughout their lives. These can be friends, acquaintances, relatives, colleagues and so on.

They may not necessarily or even at all be involved in terrorist crimes, but their data is still in the Interpol databases that have been accumulated over the past six years. They were taken from a currently unknown number of criminal investigations.Such people risk facing all obstacles to their private and professional life in the Union (including freedom of movement).

To draw an analogy, such actions can be compared to a police search of an entire block of flats to find a thief’s apartment.

Is there a threat of collecting personal data of refugees from Ukraine?

Yes, there is, because hackers are actively involved in this and abuse the helplessness and vulnerability of people who have suffered and are fleeing the war. Cyberattacks from Russia and Belarus (the UNC1151 group, linked to the illegitimate government in Minsk) have been recorded against organisations helping Ukrainian refugees and even the Ukrainian Armed Forces. The phishing mostly concerned evacuation routes to the EU.

The problem of human trafficking, mostly of Ukrainian women sold into sexual slavery abroad, was even the topic of a cyber hackathon in the Netherlands.

Migrants and personal data protection

Since 2016, Europol has been collecting information on tens of thousands of asylum seekers in Europe, as well as refugees in Italy and Greece. This results in the personal data of migrants being stored in a criminal database regardless of any links to crime or terrorism. However, Europol has no legal basis to conduct “routine checks” of migrants crossing the border.

However, given the situation with the data, there is no clear certainty about the information stored, as access to the database is restricted to authorised personnel only.

What is the solution to this situation?

In theory, Europol should be subject to strict regulation as to what personal data it can store and for how long. Incoming records should be strictly classified and only processed or stored if they are potentially relevant to important work, such as counter-terrorism.

Europol must also comply with the data protection rules set out in Regulation (EU) 2016/794 and Regulation 2022/991. According to them, the European Data Protection Supervisor (EDPS) obliges Europol to delete data on individuals who have no established link to criminal activity.Data older than 6 months that have not passed this classification must be erased.

This means that Europol will no longer be allowed to indefinitely retain data on people who have not committed crimes or illegal activities. Therefore, Europol now has a 12-month deadline to comply with the EIFD Decision and put its databases in order.

Anna Mysyshyn, PhD in Law, digital rights and data security expert.